My Joomla 3.9.3 got hacked? Website Marco's interceptor warning


Post by niitpro » Wed Apr 03, 2019 12:45 pm

Hi, Community

Today, I got an email warning from my Joomla 3.9.3, as below:
** PATTERNS MATCHED (possible hack attempts)

* Local File Inclusion $_GET['f'] => ../../../configuration.php
* Local File Inclusion $_REQUEST['f'] => ../../../configuration.php


** PAGE / SERVER INFO

*REMOTE_ADDR : 54.37.196.192
*HTTP_USER_AGENT : python-requests/2.21.0
*REQUEST_METHOD : GET
*QUERY_STRING : f=../../../configuration.php


** SUPERGLOBALS DUMP (sanitized)

*$_GET DUMP:
Array
(
[f] => ../../../configuration.php
)


*$_POST DUMP:
Array
(
)


*$_COOKIE DUMP:
Array
(
)


*$_REQUEST DUMP:
Array
(
[f] => ../../../configuration.php
)

Does that mean someone is trying to hack my Joomla website?

I have upgraded it to the latest version 3.9.4, changed the database password, and chmod configuration.php file to 0400. That's all I did.

I also banned the IP above from cPanel.

Please advise.
Thanks


Post by JAVesey » Wed Apr 03, 2019 3:46 pm

Is that a Joomla 3rd-party extension that has generated that warning or has it come from another source?
John V
Cardiff, Wales, UK
Uses Joomla 3.9.13 and PHP7.3.x


Post by sozzled » Wed Apr 03, 2019 4:06 pm

What the OP is saying is that someone tried to open the file configuration.php for reading. That's all that's being claimed.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)


Post by Webdongle » Wed Apr 03, 2019 4:27 pm

** SUPERGLOBALS DUMP (sanitized) afaik shows the hack attempt failed.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post by frostmakk » Wed Apr 03, 2019 4:34 pm

And the extension responsible for blocking and reporting this is https://extensions.joomla.org/extension ... injection/
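
The alert in the first post records the request but not how the web server answered it. As an added example (not part of the thread), this Python sketch scans access-log lines for directory-traversal values aimed at configuration.php and reports the status and response size of each. The log lines, client addresses and the /index.php path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/Nginx "combined" access-log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
SENSITIVE = ("configuration.php",)

def is_traversal(value):
    """True if a parameter value climbs directories toward a sensitive file."""
    for _ in range(3):                       # undo leftover layers of URL-encoding
        value = unquote(value)
    value = value.replace("\\", "/").lower()
    return "../" in value and value.endswith(SENSITIVE)

def triage(lines):
    """Return one finding per request that carries a traversal parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        params = [k for k, v in parse_qsl(query, keep_blank_values=True)
                  if is_traversal(v)]
        if not params:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "ua": m["ua"], "params": params, "status": status,
            "size": 0 if m["size"] == "-" else int(m["size"]),
            # 4xx: the server refused. Anything else needs a look at what was
            # actually returned, since a normal Joomla page is also a 200.
            "verdict": "rejected" if status >= 400 else "review",
        })
    return findings

# Constructed sample lines (not taken from the thread)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2019:12:44:58 +0000] "GET /index.php?f=../../../configuration.php HTTP/1.1" 403 199 "-" "python-requests/2.21.0"',
    '203.0.113.7 - - [03/Apr/2019:12:44:59 +0000] "GET /index.php?f=..%2F..%2F..%2Fconfiguration.php HTTP/1.1" 200 5120 "-" "python-requests/2.21.0"',
    '198.51.100.4 - - [03/Apr/2019:12:45:10 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["params"], f["status"], f["size"], f["verdict"])
```

A "review" result is not evidence of disclosure; compare the response size with what the same URL returns without the parameter.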


Post by JAVesey » Wed Apr 03, 2019 6:08 pm

niitpro wrote: Wed Apr 03, 2019 12:45 pm
    chmod configuration.php file to 0400.

The ideal permissions for configuration.php are "444"


Post by niitpro » Thu Apr 04, 2019 7:40 am

I guess the component Securitycheck sent the message.

@JAVesey, I guess CHMOD 400 is more secure and it's still working fine.


Post by Webdongle » Thu Apr 04, 2019 8:03 am



Post by Afflospark » Sun Apr 07, 2019 11:49 am

This means somebody was trying to access your configuration.php with a Python agent (the hacker was using the Python language to automate a brute-force attack using the default Python agent) to achieve LFI (local file inclusion: reading local classified files through public access, which can later be used to get full access to the server).
This message was generated through one of your security extensions.

Now let me tell you about permissions. In Linux, 400 permission means "only the owner of the file can read the file"; nobody else can see the file. This means if you provide 400 permission to your configuration file, nobody will be able to access the file, and your system will be safe somehow.
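
Whether 0400 or 0444 leaves configuration.php readable by Joomla depends on which account PHP runs as. The added example below (not part of the thread) applies the POSIX owner/group/other read check to both modes; the uids and the three actors are assumptions chosen for illustration.

```python
import stat

def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX read check: exactly one permission class applies, owner first."""
    if proc_uid == 0:
        return True                           # root bypasses the mode bits
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)      # owner class
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)      # group class
    return bool(mode & stat.S_IROTH)          # everyone else

# Assumed layout: the hosting account (uid/gid 1001) owns configuration.php.
FILE_UID = FILE_GID = 1001
ACTORS = {
    "php_as_owner":    (1001, {1001}),  # PHP runs as the site account (e.g. per-user PHP-FPM)
    "php_as_www_data": (33,   {33}),    # PHP runs as a shared web-server user (e.g. mod_php)
    "other_tenant":    (1002, {1002}),  # unrelated local account on the same host
}

def read_matrix(modes=(0o400, 0o444)):
    """Map (mode, actor) -> whether that actor can read the file."""
    return {
        (format(mode, "04o"), name): can_read(mode, FILE_UID, FILE_GID, uid, gids)
        for mode in modes
        for name, (uid, gids) in ACTORS.items()
    }

if __name__ == "__main__":
    for (mode, actor), ok in read_matrix().items():
        print(f"{mode}  {actor:<16} {'read' if ok else 'denied'}")
```

With 0400 the site only works when PHP runs as the file's owner, while 0444 works in both setups but is also readable by other local accounts. In either case the PHP process that serves Joomla must be able to read the file, so the mode does not restrict reads made through that process.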

